br Related work Goal of
Related work Goal of this section is to show related work focused on methods useful to assess the reliability of clustered COTS-based systems. Connelly et al.  propose an approach to delineate safety assurance for the use of COTS OS in safety-related applications, which must fall in SIL2. Their proposed solution is focused on developing encapsulation mechanisms able to isolate the influence of a COTS failure. They analyzed OS failure modes, which may affect safe functionalities, and then proposed mitigation techniques whose impact is not reported. Unlike , our work provides an entire methodology with tangible and quantified results that can be actually useful for other use. Qualitative estimations are definitely needed but not enough. Our contribution is a rigorous analysis of models and experimental results of the clustered system that gives deep evidence on the system reliability. Jones et al.  survey available practical methods useful to assess the safe integrity of COTS-based systems with standard IEC61508. Authors propose the adoption of testing techniques like stress, interface and statistical test (black-box methods) or tools available to check software, analyze data flows, and inject faults (white-box methods). Limitations of both methods are presented, i.e., the lack of failure data confidential to the supplier, the difficulty when computing results of tests without automated mechanisms, the problem of optimizing time-consuming tests, the difficulty of covering a wide range of software faults. Our paper does more than that: it defines an assessment methodology flow and shows an implementation on a real use case with also on-field evaluations. Park et al.  evaluate the effect of rejuvenation actions on the availability of an Active/Standby cluster. Authors defined a generic Markov model through which estimate how the system availability varies by changing repair time and Cy7 NHS ester of rejuvenation. Main weaknesses of this paper that we contribute to address are: (i) a purely theoretical estimation without evidence or proves from real world; (ii) an estimation of the best rejuvenation period without considering that the aging of the system depends on aging factors and so needs empirical evidence; (iii) the underestimation of the possibility that the cluster resource manager fails, which is something that can certainly occur. Skramstad et al.  perform a study of the possible solutions proposed by the academic and industrial community to address the certification of critical systems composed of COTS to a specific SIL level. They got to three different considerations: one could be to supervise the memory through memory mapped storage or by calculating checksums regularly; another one could be to test the system even though this is an unfeasible solution when the COTS is represented by a whole operating system; and finally, to diversify the adoption of COTS components to avoid common failure modes. This study, unlike ours, is fairly superficial, authors report few approaches available in literature without providing a comprehensive analysis. Finally, Pierce et al.  present a detailed report on how to assess Linux for SRS. This document provides guidelines that should set more guarantees on the OS reliability. Many OS features are identified as possible sources of failure and for this reason they should be disabled, i.e., the developer should create a monolithic kernel with a minimum number of functionalities. The conclusion of the study is that Linux, properly tuned, would be suitable for use in many safety related applications with SIL1 and SIL2 requirements. Such a work is indeed of value for the amount of information provided, but at the same time the effective impact of mitigation techniques on the reliability is not predicted. What emerges from literature is the lack of quantitative estimations and practical examples of certification assessment in industrial applications. Several techniques or approaches are presented but none of them can be actually of support for the certification. This work wants to bridge the gap by providing an entire verified approach to face the SIL2 certification of already existent systems set up.